Docker私有仓库registry

Posted 2021-01-01 alber

1、docker私有仓库的搭建与使用
    docker不仅有一个中央仓库，同时也允许我们搭建自己的私有仓库，如果读者对maven有了解，将很容易理解私有仓库的优势：
    1、节省带宽，镜像无需从中央仓库下载，只需要从私有仓库中下载即可
    2、对于私有仓库中已经有的镜像，提升了下载速度
    3、便于内部镜像的统一管理
2、下面我们来讲解一下如何搭建、使用私有仓库：
    1、准备两台安装有docker的Centos7的机器，主机规划如下：
        主机         IP               角色
        node1       192.168.56.11    docker开发机
        node2        192.168.56.12    docker私有仓库
3、安装、使用私有仓库
    1、使用域名搭建https的私有仓库
        1、首先修改两台机器的hosts,配置192.168.56.12到 docker.reg.com的映射，如果内部有 DNS，则不需要这样配置

echo ‘192.168.56.12 docker.reg.com‘>> /etc/hosts

操作方法：

[[email protected] ~]# echo ‘192.168.11.12 docker.reg.com‘>> /etc/hosts
[[email protected]-node2 ~]# 
[[email protected]-node1 ~]# echo ‘192.168.11.12 docker.reg.com‘>> /etc/hosts
[[email protected]-node1 ~]#

2、既然使用https，那么我们需要生成证书，本文讲解的是使用openssl自签名证书，当然也可以使用诸如Let’s Encrypt 等工具生成证书，首先在node2机器上生成key：

[[email protected] ~]# mkdir -p ~/certs
[[email protected]-node2 ~]# cd certs/
[[email protected]-node2 certs]# openssl genrsa -out docker.reg.com.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
......................................................................................................................................................................+++
e is 65537 (0x10001)
[[email protected]-node2 certs]# 
        生成密钥
[[email protected]-node2 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.reg.com.key -x509 -days 365 -out docker.reg.com.crt
Generating a 4096 bit RSA private key
........................................................................................................++
..............++
writing new private key to ‘docker.reg.com.key‘
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN           #你的国家
State or Province Name (full name) []:BJ       # 省份
Locality Name (eg, city) [Default City]:BJ     #城市
Organization Name (eg, company) [Default Company Ltd]:it      #组织名称
Organizational Unit Name (eg, section) []:it                  #组织单元名称
Common Name (eg, your name or your server‘s hostname) []:docker.reg.com      #域名
Email Address []:[email protected]163.com          #邮箱
[[email protected]-node2 certs]# 
[[email protected]-node2 certs]# ls
docker.reg.com.crt  docker.reg.com.key
[[email protected]-node2 certs]# 
这样自制签名就制作完成了

        4、 由于是自签名证书，默认是不受Docker信任的，故而需要将证书添加到Docker的根证书中，Docker在CentOS 7中，证书存放路径是/etc/docker/certs.d/域名：

node2端：
[[email protected]-node2 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[[email protected]-node2 ~]# cp ~/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
[[email protected]-node2 ~]# 

node1端：将生成的证书现在到根证书路径
[[email protected]-node1 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[[email protected]-node1 ~]# scp [email protected]192.168.56.12:/root/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
The authenticity of host ‘192.168.56.12 (192.168.56.12)‘ can‘t be established.
ECDSA key fingerprint is d7:ed:3d:79:50:c5:da:99:13:be:13:65:fe:5a:ec:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.56.12‘ (ECDSA) to the list of known hosts.
[email protected]192.168.56.12‘s password: 
docker.reg.com.crt                                                                                                         100% 2057     2.0KB/s   00:00    
[[email protected]-node1 ~]# ll /etc/docker/certs.d/docker.reg.com/
total 4
-rw-r--r-- 1 root root 2057 Aug 28 10:58 docker.reg.com.crt
[[email protected]-node1 ~]# 

重启node1和node2的 Docker
[[email protected]-node1 ~]# systemctl restart docker
[[email protected]-node1 ~]# 
[[email protected]-node2 ~]# systemctl restart docker
[[email protected]-node2 ~]#

5、在node2上启动私有仓库
首先切换到家目录，这一步不能少，原因下面的-v挂载了证书，如果不切换，将会引领不到证书

cd ~

6、启动docker私有仓库

1、创建Docker私有仓库目录
[[email protected]-node2 ~]# mkdir /opt/docker-image -p
2、启动docker私有仓库
[[email protected]-node2 ~]# docker run -d -p 443:5000 --restart=always --name registry2   -v `pwd`/certs:/certs -v /opt/docker-image:/var/lib/registry  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt   -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key  registry:2
Unable to find image ‘registry:2‘ locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete 
c12c92d1c5a2: Pull complete 
4fbc9b6835cc: Pull complete 
765973b0f65f: Pull complete 
3968771a7c3a: Pull complete 
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
f5808ac5c389e81ac91458fa8160605b738b5aadd3f1b202ae5bb951b104b38b
[[email protected]-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
f5808ac5c389        registry:2          "/entrypoint.sh /etc…"   32 seconds ago      Up 31 seconds       0.0.0.0:443->5000/tcp   registry
[[email protected]-node2 ~]#

其中，之所以挂载/opt/docker-image目录，是为了防止私有仓库容器被删除，私有仓库中的镜像也会丢失

7、在Docker开发机上pull镜像以及上传到私有库

[[email protected] ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[[email protected]-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[[email protected]-node1 ~]# 
[[email protected]-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[[email protected]-node1 ~]# 
[[email protected]-node1 ~]# docker tag nginx docker.reg.com/nginx:1
[[email protected]-node1 ~]# docker push docker.reg.com/nginx:1
The push refers to repository [docker.reg.com/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
1: digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189 size: 948
说明已经push成功
[[email protected]-node1 ~]#

8、在Docker开发机上删除本地docker删除本地镜像缓存，从私有库pull镜像

[[email protected] ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
删除本机缓存
[[email protected]-node1 ~]# docker rmi docker.reg.com/nginx:1
Untagged: docker.reg.com/nginx:1
Untagged: docker.reg.com/[email protected]:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
[[email protected]-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[[email protected]-node1 ~]# docker rmi nginx
Untagged: nginx:latest
Untagged: [email protected]:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Deleted: sha256:c82521676580c4850bb8f0d72e47390a50d60c8ffe44d623ce57be521bca9869
Deleted: sha256:2c1f65d17acf8759019a5eb86cc20fb8f8a7e84d2b541b795c1579c4f202a458
Deleted: sha256:8f222b457ca67d7e68c3a8101d6509ab89d1aad6d399bf5b3c93494bbf876407
Deleted: sha256:cdb3f9544e4c61d45da1ea44f7d92386639a052c620d1550376f22f5b46981af
[[email protected]-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[[email protected]-node1 ~]# docker pull docker.reg.com/nginx:1
1: Pulling from nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
Status: Downloaded newer image for docker.reg.com/nginx:1
[[email protected]-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[[email protected]-node1 ~]#

9、Docker配置登录认证

在很多场景下，我们需要用户登录后才能访问私有仓库，那么我们可以如下操作：
建立在上文升成证书，同时重启docker服务的前提下，我们讲解下如何配置：

1、为防止端口冲突，我们首先要停止或删除之前已经启动好的私有仓库：

[[email protected] ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
91c0b79e5aa1        registry:2          "/entrypoint.sh /etc…"   3 hours ago         Up 3 hours          0.0.0.0:443->5000/tcp   registry2
[[email protected]-node2 ~]# docker kill 91c0b79e5aa1
91c0b79e5aa1
[[email protected]-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[[email protected]-node2 ~]#

2、在node2机器上安装httpd-tools:

[[email protected] ~]# yum -y install httpd-tools

3、在node2机器上创建密码文件，并添加用户user1,密码user1:

[[email protected] ~]# cd ~
[[email protected]-node2 ~]# mkdir auth
[[email protected]-node2 ~]# htpasswd -Bbn user1 user1 > auth/htpasswd

4、在node2机器上切换到~ 目录，并启动私有仓库

[[email protected] ~]#docker run -d -p 443:5000 --restart=always --name registry3 

  -v `pwd`/certs:/certs 

  -v /opt/docker-image:/var/lib/registry  

  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt 

  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key  

  -v `pwd`/auth:/auth  -e "REGISTRY_AUTH=htpasswd"   

  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" 

  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2

5、在Docker开发机重新push镜像到私有库

[[email protected] ~]# docker tag tomcat docker.reg.com/tomcat:2
[[email protected]-node1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
tomcat                  latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   2                   690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/nginx    1                   c82521676580        4 weeks ago         109MB
[[email protected]-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Preparing 
44c236f0f89c: Preparing 
968b9f959aa6: Preparing 
44ffe8811308: Preparing 
a158c36dcac9: Preparing 
b6ffe8dd0a7c: Preparing 
1dccf0da88f3: Preparing 
d2070b14033b: Preparing 
63dcf81c7ca7: Preparing 
ce6466f43b11: Preparing 
719d45669b35: Preparing 
3b10514a95be: Preparing 
no basic auth credentials          提示不是被认证的
[[email protected]-node1 ~]# 
说明需要认证。

我们登陆一下，执行：
[[email protected]-node1 ~]# docker login docker.reg.com         #登录私有库
Username: user1
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded          #登录成功
[[email protected]-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Layer already exists 
44c236f0f89c: Layer already exists 
968b9f959aa6: Layer already exists 
44ffe8811308: Layer already exists 
a158c36dcac9: Layer already exists 
b6ffe8dd0a7c: Layer already exists 
1dccf0da88f3: Layer already exists 
d2070b14033b: Layer already exists 
63dcf81c7ca7: Layer already exists 
ce6466f43b11: Layer already exists 
719d45669b35: Layer already exists 
3b10514a95be: Layer already exists 
2: digest: sha256:037e17517ca8a656a2657beeeb4f2f15e6e20db8b12634c0dc2a2afd5e7ca89a size: 2836
[[email protected]-node1 ~]#